What routes do I have to set on Windows so that while using OpenVPN I have full Internet connectivity, but if OpenVPN tunnel collapses then my computer has no routes to use and thus has no connectivity.

My computer normally needs the default route 0.0.0.0 mask 0.0.0.0 192.168.1.254. I just need a route that only allows traffic destined for the OpenVPN server's IP. The traffic has to go through 192.168.1.254, however, as that is my home network's Internet gateway router thingy.

1 Answer
1

You can't do it. It is impossible. What is a VPN? It is a virtual network that is tunneled across the internet. This means in order to actually establish the VPN you first need internet access. If you remove your "normal internet" route and try to force all traffic down the VPN it will fail because the VPN can't even be established because there is no internet.

What came first, the chicken or the egg?

Ummmm, actually I just had an idea how to get this working "in theory". I'm a genius if this works, modest aren't I? Let me know if it does ;-)

Change your default gateway on your PC to be the private IP address of the VPN server.
Now you need to know the public IP address of the VPN server you connect to and modify your routing table. Hard to explain without an example so here it is.

Your local IP range is 192.168.1.x and your default gateway (router) is 192.168.1.254.

When you connect to the VPN server you connect on 67.35.67.89 (public IP). Once connected it assigns you an IP of 192.168.3.65 and changes your default gateway to the VPN server's private IP of 192.168.3.1 (this change means all internet traffic is now routed through the VPN server). This gives us the information needed to configure your PC the way you want. Disconnect the VPN.

Now edit your TCP/IP settings and change the default gateway to 192.168.3.1 (so all internet traffic is routed through the VPN server). All internet traffic will now fail unless the VPN is up. Now open a command prompt and type the following:

route add 67.35.67.89 mask 255.255.255.255 192.168.1.254 metric 1 -p

This adds a static route to your Windows PC which will override the default gateway only when you try to connect to 67.35.67.89 (your VPN server). When it matches this entry it will go out your router (192.168.1.254) onto the internet normally. This one rule will allow the VPN to be established, then all other traffic will go across the VPN.

Note: when setting the default gateway you will get a warning about it being on a different subnet, just accept it and continue.

I have never done this so I can't say it will definitely work, but I know a lot about routing and from the "rules" of routing this should work for you. If it does please upvote this answer as it is actually quite difficult to work this out and I doubt you will find this solution anywhere else.

EDIT: I tested this when I got home and I was right, it can be done this way ;-)
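The routing layout the answer describes, scripted with the NetTCPIP cmdlets, as an added example that is not part of the original question or answer. It uses the answer's example addresses (192.168.1.254 as the home router, 67.35.67.89 as the OpenVPN server's public IP, 192.168.3.1 as the gateway handed out inside the tunnel); all three are assumptions to replace with your own. It assumes the LAN adapter is statically configured, as the answer's "edit your TCP/IP settings" step implies, because a DHCP renewal would otherwise put the normal default gateway back. Run it from an elevated PowerShell prompt with the tunnel down.

```powershell
# Added example (not the answer's own commands): "dead default gateway" kill-switch routing.
# Assumed addresses, taken from the answer's worked example; change for your network.
$LanGateway   = '192.168.1.254'   # home router (from the question)
$VpnPublicIp  = '67.35.67.89'     # OpenVPN server public IP (answer's example)
$VpnPrivateGw = '192.168.3.1'     # gateway OpenVPN hands out inside the tunnel (answer's example)

# Locate the LAN interface: it is the one that currently carries the normal default route
# via the home router. Abort rather than guess if that route is already gone.
$lanRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
            Where-Object NextHop -eq $LanGateway | Select-Object -First 1
if (-not $lanRoute) { throw "No default route via $LanGateway found; is the LAN adapter configured?" }
$lanIf = $lanRoute.InterfaceIndex

# Step 1: remove the normal default route (active and persistent store). After this, and
# until step 2 plus a working tunnel, the machine has no path to the Internet at all.
Remove-NetRoute -InterfaceIndex $lanIf -DestinationPrefix '0.0.0.0/0' -NextHop $LanGateway -Confirm:$false

# Step 2: install a default route whose next hop is the VPN server's *private* address.
# 192.168.3.1 is not on the LAN subnet, so this route can only be used while the tunnel
# is up; the GUI warns about exactly this when you set it in TCP/IP properties.
# Caveat (assumption): if New-NetRoute refuses the off-link next hop on your Windows
# build, set the default gateway in the adapter's TCP/IP properties as the answer says.
New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $lanIf -NextHop $VpnPrivateGw -RouteMetric 10

# Step 3: the one exception, the answer's "route add 67.35.67.89 mask 255.255.255.255 192.168.1.254 metric 1 -p".
# A /32 host route to the VPN endpoint via the home router, so the tunnel can be built.
New-NetRoute -DestinationPrefix "$VpnPublicIp/32" -InterfaceIndex $lanIf -NextHop $LanGateway -RouteMetric 1

# Verification: show the two routes that matter. With the tunnel down, only the /32 to
# the VPN server should have a reachable next hop.
'--- default route(s) ---'
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize
'--- host route to the VPN endpoint ---'
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "$VpnPublicIp/32" |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize

# To undo: remove the two routes above and put the normal default gateway back.
# Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $VpnPrivateGw -Confirm:$false
# Remove-NetRoute -DestinationPrefix "$VpnPublicIp/32" -Confirm:$false
# New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $lanIf -NextHop $LanGateway
```

Two points worth checking after running it. First, the /32 host route to 67.35.67.89 is deliberately reachable outside the tunnel, so anything that talks to that one address bypasses the VPN; that is the price of being able to establish it. Second, when OpenVPN connects with `redirect-gateway def1` it does not replace the default route but adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway, which are more specific than the dead 0.0.0.0/0 and therefore win; when the tunnel collapses those two routes disappear and only the unreachable default is left, which is the behaviour the question asks for.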